Merge pull request #115 from gammarers/feature/cgange-class

feat: change class

README.md

@@ -37,26 +37,33 @@ pip install gammarers.aws-waf-ip-restrict-rule
 ```typescript
 import { WAFIPRestrictRule } from '@gammarers/aws-waf-ip-restrict-rule';
 
-const ipRestrictRule = new WAFIPRestrictRule(stack, 'WAFIPRestrictRule', {
-  allowIpAddresses: [
-    '192.0.2.0/24',
-    '198.51.100.0/24',
+const allowedIpSet = new wafv2.CfnIPSet(stack, 'AllowedIpSet', {
+  addresses: [
     '203.0.113.0/24',
+    '198.51.100.0/24',
   ],
-  scope: WAFIPRestrictRuleScope.GLOBAL,
-  priority: 1,
+  ipAddressVersion: 'IPV4',
+  scope: 'CLOUDFRONT',
+  name: 'AllowedIpSet',
+});
+
+const ipRestrictRule = new WAFIPRestrictRule({
+  allowIPSetArn: allowedIpSet.attrArn,
 });
 
 new wafv2.CfnWebACL(stack, 'WebACL', {
   defaultAction: { allow: {} },
-  scope: 'CLOUD_FRONT',
+  scope: 'CLOUDFRONT',
   name: 'WebAclWithCustomRules',
   visibilityConfig: {
     cloudWatchMetricsEnabled: true,
     metricName: 'WebAclMetric',
     sampledRequestsEnabled: true,
   },
-  rules: [ipRestrictRule.rule],
+  rules: [
+    ipRestrictRule.allowRule({ priority: 1 }),
+    ipRestrictRule.blockRule({ priority: 2 }),
+  ],
 });
 
 ```

src/index.ts

@@ -1,53 +1,55 @@
 import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
-import { Construct } from 'constructs';
 
-export enum WAFIPRestrictRuleScope {
-  GLOBAL = 'Global',
-  REGIONAL = 'Regional',
-}
-
-export interface WAFIPRestrictRuleProps {
-  readonly allowIpSetName?: string;
-  readonly allowIpAddresses: string[];
-  readonly scope: WAFIPRestrictRuleScope;
+export interface RuleConfig {
   readonly priority: number;
   readonly ruleName?: string;
   readonly cloudWatchMetricsName?: string;
 }
 
-export class WAFIPRestrictRule extends Construct {
+export interface WAFIPRestrictRuleProps {
+  readonly allowIPSetArn: string;
+}
 
-  public readonly rule: wafv2.CfnWebACL.RuleProperty;
+export class WAFIPRestrictRule {
 
-  constructor(scope: Construct, id: string, props: WAFIPRestrictRuleProps) {
-    super(scope, id);
-    // IPSet を作成
-    const ipSet = new wafv2.CfnIPSet(this, 'IPSet', {
-      addresses: props.allowIpAddresses,
-      ipAddressVersion: 'IPV4',
-      scope: ((): string => {
-        switch (props.scope) {
-          case WAFIPRestrictRuleScope.GLOBAL:
-            return 'CLOUDFRONT';
-          case WAFIPRestrictRuleScope.REGIONAL:
-            return 'REGIONAL';
-        }
-      })(),
-      name: props.allowIpSetName || 'allow-ip-set',
-    });
+  constructor(private props: WAFIPRestrictRuleProps) {
+  }
 
-    this.rule = {
-      name: props.ruleName || 'block-ip-rule',
-      priority: props.priority,
-      action: { block: {} },
+  allowRule(config: RuleConfig): wafv2.CfnWebACL.RuleProperty {
+    return {
+      name: config.ruleName || 'allow-ip-rule',
+      priority: config.priority,
+      action: { allow: {} },
       visibilityConfig: {
         cloudWatchMetricsEnabled: true,
-        metricName: props.cloudWatchMetricsName || 'BlockIPMetric',
+        metricName: config.cloudWatchMetricsName || 'AllowIPMetric',
         sampledRequestsEnabled: true,
       },
       statement: {
         ipSetReferenceStatement: {
-          arn: ipSet.attrArn,
+          arn: this.props.allowIPSetArn,
+        },
+      },
+    };
+  }
+
+  blockRule(config: RuleConfig): wafv2.CfnWebACL.RuleProperty {
+    return {
+      name: config.ruleName || 'block-other-ip-rule',
+      priority: 2,
+      action: { block: {} }, // 拒否アクション
+      visibilityConfig: {
+        cloudWatchMetricsEnabled: true,
+        metricName: config.cloudWatchMetricsName || 'BlockOtherIpMetric',
+        sampledRequestsEnabled: true,
+      },
+      statement: {
+        notStatement: {
+          statement: {
+            ipSetReferenceStatement: {
+              arn: this.props.allowIPSetArn,
+            },
+          },
         },
       },
     };